Page MenuHomePhabricator
Create Task
Maniphest T400249

SessionBackend should save sessions at the end of the request (and only there)
Closed, ResolvedPublic
Actions

Description

SessionBackend::save() can be triggered directly, e.g when persisting the session. It will also be called automatically whenever the last Session bound to that SessionBackend is destructed. Those are both somewhat problematic:

It would be better to do these saves at some deterministic point in time, presumably somewhere around MediaWikiEntryPoint::commitMainTransaction() (as it needs to be soon enough to influence cookie headers, but late enough to include all session changes).

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SessionManager: Remove session saves in session destructormediawiki/coremaster+0 -52
SessionManager: Add $sessionWriteReason to shutdown and when saves are triggered from the destructormediawiki/corewmf/1.45.0-wmf.12+2 -0
SessionManager: Add $sessionWriteReason to shutdown and when saves are triggered from the destructormediawiki/coremaster+2 -0
Customize query in gerrit

Related Objects
Search...

Event Timeline

Tgr created this task.Jul 23 2025, 11:15 AM
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptJul 23 2025, 11:15 AM
Restricted Application added a subscriber: Aklapper. · View Herald Transcript
Tgr mentioned this in T400113: Circular dependency due to random Session object calling UserNameUtils service.Jul 23 2025, 11:16 AM
Tgr updated the task description. (Show Details)
matmarex subscribed.Jul 23 2025, 1:56 PM
matmarex updated the task description. (Show Details)Jul 23 2025, 2:03 PM
matmarex renamed this task from SessionBackend should save sessions at the end of the reqeust to SessionBackend should save sessions at the end of the request.Jul 23 2025, 2:17 PM
Hokwelum claimed this task.Jul 28 2025, 10:07 AM
JTweed-WMF added a parent task: T398814: WE5.1.1 Session storage protection.Jul 28 2025, 2:54 PM
JTweed-WMF moved this task from Inbox, needs triage to Next (DO NOT USE) on the MediaWiki-Platform-Team board.
daniel subscribed.Jul 29 2025, 12:16 PM

In T400113#11042622 I suggested to a DeferredUpdate to ensure that the session gets saved at the end of the request. We already have mechanisms in place that prevent deferred updates from piling up in tests and job runners, so we'd automatically benefit from that.

Hokwelum added a comment.Jul 30 2025, 5:02 PM

Hello @Tgr , I’ve been trying to come up with a scenario where session::save is called from destruct, but I haven't been able to.

Before Destruct gets called, shutdown is called to set $this->shutdown to true, which in turn influences the session save in deregisterSession.
It might also be useful to point out that we currently also do session::save in
MediaWikiEntryPoint::commitMainTransaction().

Tgr added a comment.Jul 30 2025, 10:17 PM

rMW5f010ef32ed2: session: Move SessionManager::getGlobalSession() to WebRequest (which is getting deployed this week) reduced the number of Session objects created and destroyed a lot. Before that, saves at random times were common. Not sure how much of a problem it is now; the Session object for the global session is stored in the WebRequest object in RequestContext, which will be around until the end of the request, so that Session won't be destructed before shutdown. You'd probably need to look for code which constructs a FauxRequest and then fetches a session from that request. Or for non-WebRequest-related SessionManager::getSession* calls. Neither of those might happen much.

Maybe you could start by logging it - we are already logging saves and using $sessionWriteReason to track what triggered it, but we are not setting it in the destructor or the shutdown handler, so you could add that and then after a few days in production check how often we have destructor-triggered saves. You could also temporarily add a stack trace to conveniently get reproduction steps.

gerritbot added a comment.Aug 1 2025, 3:42 PM

Change #1175138 had a related patch set uploaded (by Hokwelum; author: Hokwelum):

[mediawiki/core@master] SessionManager: Temporarily add debug logging for session saves during shutdown or in destructor

https://gerrit.wikimedia.org/r/1175138

gerritbot added a project: Patch-For-Review.Aug 1 2025, 3:42 PM
Tgr added a comment.Aug 1 2025, 5:17 PM

The dashboard for the session write logs is here.

matmarex renamed this task from SessionBackend should save sessions at the end of the request to SessionBackend should save sessions at the end of the request (and only there).Aug 4 2025, 4:46 PM
matmarex mentioned this in T400950: Session destructor can trigger RecursiveServiceDependencyException on CI.
gerritbot added a comment.Aug 4 2025, 7:00 PM

Change #1175138 merged by jenkins-bot:

[mediawiki/core@master] SessionManager: Add $sessionWriteReason to shutdown and when saves are triggered from the destructor

https://gerrit.wikimedia.org/r/1175138

gerritbot added a comment.Aug 4 2025, 7:07 PM

Change #1175574 had a related patch set uploaded (by Bartosz Dziewoński; author: Hokwelum):

[mediawiki/core@wmf/1.45.0-wmf.12] SessionManager: Add $sessionWriteReason to shutdown and when saves are triggered from the destructor

https://gerrit.wikimedia.org/r/1175574

ReleaseTaggerBot added a project: MW-1.45-notes (1.45.0-wmf.13; 2025-08-05).Aug 4 2025, 8:00 PM
gerritbot added a comment.Aug 4 2025, 8:55 PM

Change #1175574 merged by jenkins-bot:

[mediawiki/core@wmf/1.45.0-wmf.12] SessionManager: Add $sessionWriteReason to shutdown and when saves are triggered from the destructor

https://gerrit.wikimedia.org/r/1175574

Stashbot mentioned this in T398177: 'renameuser' logs for a global rename use actor ID from metawiki instead of the local one when created by the fixStuckGlobalRename.php script.Aug 4 2025, 8:55 PM

Mentioned in SAL (#wikimedia-operations) [2025-08-04T20:55:37Z] <cjming@deploy1003> Started scap sync-world: Backport for [[gerrit:1175511|Clear edit count when unattaching local users for rename (T313900)]], [[gerrit:1175512|fixStuckGlobalRename: Fix using actor_id from the wrong wiki (T398177)]], [[gerrit:1175574|SessionManager: Add $sessionWriteReason to shutdown and when saves are triggered from the destructor (T400249)]]

Stashbot mentioned this in T313900: Renaming a user doubles their edit count according to CentralAuthUser::getGlobalEditCount() / global_edit_count.gec_count field.Aug 4 2025, 8:55 PM

Mentioned in SAL (#wikimedia-operations) [2025-08-04T20:57:14Z] <cjming@deploy1003> matmarex, cjming: Backport for [[gerrit:1175511|Clear edit count when unattaching local users for rename (T313900)]], [[gerrit:1175512|fixStuckGlobalRename: Fix using actor_id from the wrong wiki (T398177)]], [[gerrit:1175574|SessionManager: Add $sessionWriteReason to shutdown and when saves are triggered from the destructor (T400249)]] synced to the testservers (see https://wikitech.wikimedia.org/w

ReleaseTaggerBot edited projects, added MW-1.45-notes (1.45.0-wmf.12; 2025-07-29); removed MW-1.45-notes (1.45.0-wmf.13; 2025-08-05).Aug 4 2025, 9:02 PM
Stashbot added a comment.Aug 4 2025, 9:03 PM

Mentioned in SAL (#wikimedia-operations) [2025-08-04T21:03:13Z] <cjming@deploy1003> Finished scap sync-world: Backport for [[gerrit:1175511|Clear edit count when unattaching local users for rename (T313900)]], [[gerrit:1175512|fixStuckGlobalRename: Fix using actor_id from the wrong wiki (T398177)]], [[gerrit:1175574|SessionManager: Add $sessionWriteReason to shutdown and when saves are triggered from the destructor (T400249)]] (duration: 07m 36s)

Maintenance_bot removed a project: Patch-For-Review.Aug 4 2025, 9:32 PM
matmarex added a comment.Aug 4 2025, 10:04 PM
In T400249#11054442, @Tgr wrote:

The dashboard for the session write logs is here.

Thanks for the link. First log entries are in, and there are no __destruct calls logged as yet (as expected), but there are some shutdown calls (surprising to me): https://logstash.wikimedia.org/goto/a0bbe70ac793f3ab7a0dc6fdce44148e. They are all for completely normal logged-in page views, where I would expect commitMainTransaction() to be called first, so I don't know how they can happen. One idea is that something is causing these writes after that point, but I'm not sure if that's possible.

(Even if we need to keep the code in both shutdown() and commitMainTransaction(), having two places where sessions can be saved would still be much better than infinitely many places.)

Tgr added a comment.Aug 5 2025, 9:19 PM
In T400249#11059388, @matmarex wrote:

there are no __destruct calls logged as yet

Nice, I didn't expect there to be zero, but it seems like your patch got rid of that path entirely then.
@Hokwelum we might still want to do this task because of __destruct calls in unit tests being annoying (per T400950), but it looks like the only way to trigger it is manually via custom code. Something like

$r = new \MediaWiki\Request\WebRequest();
$s = $r->getSession();
unset( $s );

should do the trick I think.

[shutdown calls] are all for completely normal logged-in page views, where I would expect commitMainTransaction() to be called first, so I don't know how they can happen. One idea is that something is causing these writes after that point, but I'm not sure if that's possible.

All the entries have dataDirty: true, metaDirty: false, they are all logged-in users, and almost all (though not all) have referers indicating the user just arrived from a different domain. And it's happening on non-SUL wikis as well (well, happened exactly once, but those wikis don't get many requests). Not sure what to make of it. I looked at a few random reqIds, and it's always the only log record for that request (although session writes are sampled, so that doesn't mean there weren't other writes).

Hokwelum added a comment.Aug 5 2025, 10:43 PM

Thanks @Tgr! I'll do that and see how it goes!

Hokwelum added a comment.Aug 6 2025, 6:02 PM

Is it safe to remove the test referencing the destructor function for the test files, or do we move that to the test to make the test pass? CC @Tgr @matmarex

Tgr added a comment.Aug 6 2025, 8:24 PM

Which test do you mean? At a glance, I don't see anything destructor-related in SessionBackendTest.
In general, if the test checks some behavior that's still relevant after the refactoring, it should ideally be kept, otherwise not.

gerritbot added a comment.Aug 7 2025, 7:38 PM

Change #1176542 had a related patch set uploaded (by Hokwelum; author: Hokwelum):

[mediawiki/core@master] SessionManager: Remove session saves in session destructor

https://gerrit.wikimedia.org/r/1176542

gerritbot added a project: Patch-For-Review.Aug 7 2025, 7:38 PM
gerritbot added a comment.Aug 11 2025, 10:28 PM

Change #1176542 merged by jenkins-bot:

[mediawiki/core@master] SessionManager: Remove session saves in session destructor

https://gerrit.wikimedia.org/r/1176542

Maintenance_bot removed a project: Patch-For-Review.Aug 11 2025, 10:30 PM
ReleaseTaggerBot edited projects, added MW-1.45-notes (1.45.0-wmf.14; 2025-08-12); removed MW-1.45-notes (1.45.0-wmf.12; 2025-07-29).Aug 11 2025, 11:00 PM
matmarex closed this task as Resolved.Aug 11 2025, 11:04 PM
matmarex added a parent task: T400950: Session destructor can trigger RecursiveServiceDependencyException on CI.
matmarex mentioned this in T402602: Storing objects in session data causes unnecessary session writes, and emits spurious warnings with $wgPHPSessionHandling = 'warn'.Aug 21 2025, 10:47 PM
Tgr mentioned this in T404691: RenderTranslationPageJob: Sessions can only be imported when none is active..Sep 23 2025, 5:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits